Q&A: Kevin Hyams of Friedman LLP on Strong Compliance Programs

When it comes to trading firms, how many are actively working to improve their governance, risk and compliance programs?

Mr. Hyams: I think the trend now is people realize regulators and prosecutors are far more sophisticated and experienced and nuanced individuals, and the risk of not anchoring yourself in something that is going to pass muster with them is just too great to ignore. The only game in town for them now is the Federal Sentencing Guidelines for Organizations, which are guidelines of what an effective compliance program is, and the 2013 release of the updated Committee of Sponsoring Organizations of the Treadway Commission guidelines, which are 17 components and principles put out by five regulating bodies of professional organizations that serve as a blueprint of internal controls. All the compliance activities in an organization are underpinned by a risk assessment that shows what an organization’s exposures are and shows what can harm an organization. On the basis of a risk assessment, an organization can construct an effective program that fits in nicely with the federal guidelines.

Why are these guidelines important?

Mr. Hyams: We are talking about sophisticated and experienced regulators who look at the nuances of these things, look to see if this is a paper program or one that is effectively designed, implemented, reviewed and revised as appropriate. They have staff that is sufficiently competent to audit documents and analyze compliance to see whether employees are adequately informed and whether the corporation is committed to it.

On the basis of that, regulators and prosecutors decide whether to go after individual employees to prosecute and not charge an organization at all, or to mitigate the charges against the corporation. That’s an extremely important aspect of it. There is a realization that exposure for boards and officers has dramatically increased as a result of Dodd-Frank… and I think this is only going to increase, even for nonprofits. It will be difficult for a board and the senior officers to justify to shareholders why they didn’t implement an effective compliance program if that can be a mitigation for heavy sanctions. It almost seems as if it is a mandated prerequisite.

For a company looking to put a GRC program in place, what are the first things they should do?

Mr. Hyams: The very first thing they should do is follow the federal sentencing guidelines recipe for what is an effective compliance program. They need to do a comprehensive risk assessment, construct a risk register, assess the inherent risks. It should be driven by the organization’s strategic objectives and the risks to the achievement of those objectives. That leads them to identify those issues that can hurt their organization and makes them prioritize where to put their efforts and funding. From that they will construct a risk and compliance matrix which will identify strategic objectives, identify risks, identify mitigations they have in place to reduce that risk to an acceptable level.

The first exercise is producing a risk register, which anchors the whole activity. Unless they know what can hurt the organization they will not be in a position to ensure the proper mitigations are in place. The problem in the past is this exercise was done on a siloed basis by a number of activities in the organization. It is no longer appropriate to be in a board meeting and to have 12 people come in one after another to discuss the issues in their area. They need to have an integrated approach.

What impact is technology and social media having on the regulatory landscape?

Mr. Hyams: It is having a tremendous impact, but one of the biggest risks is there is a generational divide between most of the individuals that sit on boards and who are officers of organizations and the vast majority of younger employees, who are very familiar with technology. Management has a less sophisticated and nuanced knowledge of using social media to discuss corporate affairs. The organization needs very stringent policies and procedures, with very heavy training and strict enforcement, to manage that process. A lot of organizations provide this kind of service to entities, and now can scan social media, scan emails and keywords, and report back to the organization so the organization can review these things and take corrective action. The proliferation of data makes it extremely difficult for management to do this. If they’re inclined to proceed, we advise them right off to seek outside counsel’s advice and to ensure they hook up with an agency that is skilled in those activities. It really is a minefield.

How should companies with businesses in multiple countries and regions approach their GRC programs?

Mr. Hyams: They have to have a global insight into the organization. The way they achieve that will be dependent on the structure of the organization, but there is no substitute for a global risk register. One of the problems is a lot of organizations with global activity came about through acquisitions, so each entity may have its own approach. The organization has to be able to point to the global compliance officer; it is their responsibility to have the organization get its arms around the global issue. If they are operating on a siloed basis, it could be an operation in a far-flung place that causes very serious damage.

The issue has to always be whether a particular activity or a particular violation can in and of itself cause significant damage to the organization. The danger is organizations may rate each country, and each operation within a country, then compare scores. This is very dangerous, as there may be one element within that that could bring down the organization or cause severe damage to the organization. The greater danger we see is an organization could take a scoring approach and miss one item that could cause very severe repercussions within the organization.
